I have one of these routers, excuse me while I panic/check the vulnerability.
Edit: Checked. It sure leaks the password in plaintext to a simple curl call. I have no words.
(1) It's not clear: the docs mention an Annex working but it's not the same as the one the hardware provides?
"get_getnetworkconf.cgi -> Another very funny one that gives us the WIFI password without the need for authentication."
It lists several other issues, as well as the default admin login.
Too bad everything seems to be locked down in the name of security these days, and even the slightest gaps seem to cause a lot of panic. I miss those days of essentially free Internet everywhere...
Fortunately, and hopefully, the awakened situation is going to be solved: WPA3 supports encryption on an open AP. Also, WPA3 offers forward secrecy, so the traffic cannot be decrypted by passive monitoring unless the attacker is also a Man-in-the-Middle.
BTW, as tyingq said, copyright is a factor, but I think laws in general are a bigger problem. Under the laws of many jurisdictions, the Wi-Fi user may be responsible for all the legal consequences of other people who are using his/her Wi-Fi. Routing the guest AP over an anonymous VPN connected via Tor may be a solution to the legal challenge, but a legal issue needs a real legal solution.
If you are interested in sharing your Wi-Fi, read https://openwireless.org/
I strongly believe in internet access as a human right.
The problem is, this is one of those ISPs that have an extra SSID on their CPEs for "free" internet, think Xfinity, but this wasn't Comcast, and this vulnerability stems from an HTTPd misconfiguration, so if you can access the equipment's HTTPd (all you need to do is a single, unauthenticated request, so, really any access will do), you've got full access.
I went through some trouble to contact, via third parties, an insider at this ISP with the power to get things fixed - they did fix the remote part (via the aforementioned firewall whitelisting), but I was told, in no uncertain terms, that they didn't care enough to fix the root of the issue, as long as it wasn't massively exploitable, and it wasn't public.
I like my freedom/money too much to publicize details, and so it's still there, all these years later. I wonder how many vulnerabilities like this are out there, fully known by the vendors/providers, but nothing gets done about them because people are too scared to disclose, until eventually someone comes along and blows the whistle, or the equipment is obsoleted?
I always see an ISP-provided router as a hazardous & untrusted device. If it offers bridged PPPoE, I would configure it so it works as a pure modem, even if it means breaking into the telnet console. Otherwise, I would rather put my own router behind it, double-NAT and firewall it out of my own network.
In Germany, the Choice and Connection of Telecommunication Terminal Devices Act has been passed with the support of the free and open source community, which ensures a user can use their own router to connect to a broadband network.
The simplest of them have a web interface. If that's leaky, there goes the whole thing because any website can try to connect to it.
I've seen many modems with a web interface, but it's often not routable to the public Internet in actual use, as the connection was bridged and the job of getting a public IP has been delegated to the PPPoE connection on the router behind it (you need to add another network interface and assign an IP address on your router inside the LAN segment under the control of the modem to reach it).
Some modems have a management link, which can be described as a universal ISP backdoor, only reachable in the ISP's LAN.
But in both cases, it's still better than a modem/router combined unit.
Maybe they went for offshore design/manufacturing; that's plausible since most boxes are now media centers, so basically 80% like any internet TV box on eBay.
Don't know how custom the hardware is, but the firmware appears to be.
Lots of them were mitigated due to other bugs preventing you from actually reaching the code when you pass funny input, or the code turns out to be unused (random unused code in your binaries is a big code smell). It was functional: they clearly made sure it all worked. But if you would try to do anything outside of the happy flow, it would bug. The customer also had quite a fight over getting the source code (instead of binaries) in the first place.
I didn't expect it to do that, so that was a bit of a surprise.
This is also the moment a customer will straight up deny the existence of ethernet cables or claim to have never heard of any Internet-related device that does not use WiFi.
To satisfy these customers, you need to be able to either read out the WiFi password or have some way to push a new one. As it's just plain easier to just allow full-on access to the modem GUI for their customer service agents, it's often possible to read any passwords or settings from the help desk.
I shall write something about it one day, just to immortalize it!
Also, CG-NAT is a HORRIBLE technology that causes lots of problems for subscribers, all for the sake of allowing an ISP to sell their IPv4 space off at a premium and pump up their numbers if a quarter demands it.
I'm with Virgin cable in the UK and they are going to IPv6 soon ... but with DS-Lite, so CG-NAT for IPv4 (yay, I can't connect back to my home VPN if I'm on an IPv4 only network) but native IPv6 (sort of yay).
You then also have the issues with online services, IP bans etc. etc. etc.
CG-NAT is nothing to be cheered on, and is worse than useless for "security".
I'm paying for internet service, I don't want some locked-down system that can't receive inbound connections.
So you trust the ISP to implement CG-NAT properly when they can’t manage to secure a simple CPE router?
CG-NAT has so many issues for consumers that will end up hoisted onto other services/applications support departments. The internet is not a one way street and there are many legitimate reasons for listening ports that I’m surprised anybody would push for CG-NAT.
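As an added illustration (not from the thread) of the CG-NAT and double-NAT situations discussed above, here is a small Python diagnostic that compares the address a router sees on its WAN side with the address an outside host sees for it. The samples are constructed from documentation and RFC-reserved ranges; in practice the observed address would come from an external lookup.

```python
import ipaddress

# Address blocks the verdicts rest on (IETF-reserved ranges, nothing page-specific):
CGNAT = ipaddress.ip_network("100.64.0.0/10")      # RFC 6598 shared space used by carrier-grade NAT
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Name the NAT situation a subscriber is in, given the address on the
    router's WAN port and the address an external host sees the traffic from."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_ip)
    if wan.version == 6 and seen.version == 4:
        # IPv6-only WAN but IPv4 still reaches the outside: IPv4 is tunnelled to an
        # ISP-side NAT (DS-Lite AFTR), so inbound IPv4 is impossible.
        return "ds-lite"
    if wan.version != seen.version:
        return "mismatch"        # IPv4 WAN observed as IPv6: some proxy/translator in between
    if wan.version == 4 and wan in CGNAT:
        return "cgnat"           # ISP-side NAT; the public IPv4 is shared with other subscribers
    if any(wan in net for net in RFC1918):
        return "double-nat"      # another NAT (e.g. an ISP CPE) sits in front of this router
    if wan == seen:
        return "public"          # directly addressable; port forwarding can work
    return "unknown"             # translated or proxied somewhere not covered above


def inbound_possible(verdict: str) -> bool:
    """Whether the subscriber can expect to accept inbound connections on that
    address family (home VPN, listening ports) without ISP involvement."""
    return verdict == "public"


# Constructed samples (documentation ranges), not captured from any real network.
SAMPLES = {
    "cg-nat subscriber":        ("100.77.1.2", "203.0.113.5"),
    "own router behind CPE":    ("192.168.100.2", "203.0.113.5"),
    "public IPv4":              ("203.0.113.5", "203.0.113.5"),
    "DS-Lite (IPv6 WAN only)":  ("2001:db8::1", "203.0.113.5"),
}

if __name__ == "__main__":
    for label, (wan_ip, seen_ip) in SAMPLES.items():
        v = classify_wan(wan_ip, seen_ip)
        print(f"{label:26} -> {v:10} inbound possible: {inbound_possible(v)}")
```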
I can’t even imagine trying to get through to an ISP to fix their CG-NAT issue. It’s hard enough to get them to fix routing issues without being established on an industry mailing list or having an existing contact.
Nobody wants the AOL internet of yesteryear and IMO CG-NAT is just a step in that direction.